I just finished attending Interop Las Vegas where I gave a talk entitled “BYOD Security and Privacy.” In walking the show floor and attending a variety of sessions, there was little doubt that Bring Your Own Device (BYOD) is a hot topic that cybersecurity professionals are struggling to get their arms around. The challenge is further magnified by the fact that this trend is less one of technology than one of culture for organizations. Executives, often with little stated business benefit, are demanding to use their cool-looking tablets in the corporate environment. Ordinary users complain of having to carry two smart phones and suggest they can be more productive if they could simply access corporate applications like e-mail on their personal smart phones. While cost savings from moving to BYOD are suggested, the evidence is weak at best, particularly with direct costs such as managing and supporting multiple platforms, the loss of volume purchasing capabilities for devices and service plans, and employee reimbursement requests that can grow unexpectedly. Everyone seems to be betting on productivity gains, and while the verdict is not in, I would not be overly optimistic for most enterprises. Even before security and privacy are considered, BYOD has a number of strikes against it. But considering the forces that are moving information technology departments in that direction, it is inevitable that many, if not most, companies will have fairly comprehensive BYOD programs covering far more than just e-mail.
So, that raises the question of just how far we should permit BYOD within the control system environment. So far we’ve seen little evidence of that occurring. Homeowners may be controlling their thermostats from their smart phones, but power plant operators are not controlling boiler temperatures with, really, any mobile device. But one can speculate that such mobile solutions are just around the corner. Field employees already use handheld devices to read meters, measure line voltages, and receive outage data. Increasingly, the communications interface and the applications are available in conventional smart phones, often at a fraction of the price of utility-specific models. Could this evolve to personally owned devices?
What we’ve seen throughout history is that efforts to resist processes or products that improve productivity or just make life easier inevitably fail. However, those willing to be proactive can shape how that innovation occurs so that safety and security are taken into consideration. As security professionals, that is our mission, not to stop things, but instead to help guide change. While this notion is nothing new, we often need reminders when the next advance in technology makes us recoil and insist it can never happen. Let’s make sure we channel that energy towards something productive.